modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php

   1 <?php
   2 if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
   3 /*********************************************************************************
   4  * SugarCRM Community Edition is a customer relationship management program developed by
   5  * SugarCRM, Inc. Copyright (C) 2004-2012 SugarCRM Inc.
   6  *
   7  * This program is free software; you can redistribute it and/or modify it under
   8  * the terms of the GNU Affero General Public License version 3 as published by the
   9  * Free Software Foundation with the addition of the following permission added
  10  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
  11  * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
  12  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
  13  *
  14  * This program is distributed in the hope that it will be useful, but WITHOUT
  15  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  16  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
  17  * details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License along with
  20  * this program; if not, see http://www.gnu.org/licenses or write to the Free
  21  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  22  * 02110-1301 USA.
  23  *
  24  * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
  25  * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
  26  *
  27  * The interactive user interfaces in modified source and object code versions
  28  * of this program must display Appropriate Legal Notices, as required under
  29  * Section 5 of the GNU Affero General Public License version 3.
  30  *
  31  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
  32  * these Appropriate Legal Notices must retain the display of the "Powered by
  33  * SugarCRM" logo. If the display of the logo is not reasonably feasible for
  34  * technical reasons, the Appropriate Legal Notices must display the words
  35  * "Powered by SugarCRM".
  36  ********************************************************************************/
  37
  38
  39
  40
  41
  42 /**
  43  * This file is where the user authentication occurs. No redirection should happen in this file.
  44  *
  45  */
  46 require_once('modules/Users/authentication/SugarAuthenticate/SugarAuthenticateUser.php');
  47
  48
  49 class SAMLAuthenticateUser extends SugarAuthenticateUser{
  50         /**
  51          * Does the actual authentication of the user and returns an id that will be used
  52          * to load the current user (loadUserOnSession)
  53          *
  54          * @param STRING $name
  55          * @param STRING $password
  56          * @return STRING id - used for loading the user
  57          *
  58          * Contributions by Erik Mitchell erikm@logicpd.com
  59          */
  60         function authenticateUser($name, $password) {
  61                 $GLOBALS['log']->debug('authenticating user.'); // JMH
  62 //        uncomment the line below to test on the server. this is a temporary solution - John H. (task 9069)
  63 //              $_POST['SAMLResponse'] = "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgRGVzdGluYXRpb249Imh0dHA6Ly9kZXZzdWdhci5ydHAucmFsZWlnaC5pYm0uY29tL3N1Z2FyLXNhbWwvaW5kZXgucGhwP21vZHVsZT1Vc2VycyZhbXA7YWN0aW9uPUF1dGhlbnRpY2F0ZSIgSUQ9IkZJTVJTUF8xZjUxNjc4Ni0wMTM0LTFmMGQtYWRiZS1iZWE4M2JhM2EyNTEiIEluUmVzcG9uc2VUbz0iXzhmMmFmY2UyNTJiNDVhZGVkNWE4IiBJc3N1ZUluc3RhbnQ9IjIwMTEtMTItMDhUMjA6MTU6NTVaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxzYW1sOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9sb25kby5ydHAucmFsZWlnaC5pYm0uY29tOjk0NDMvc3BzL1NBTUxJZHAvc2FtbDIwPC9zYW1sOklzc3Vlcj4NCiAgICA8c2FtbHA6U3RhdHVzPg0KICAgICAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIj48L3NhbWxwOlN0YXR1c0NvZGU+DQogICAgPC9zYW1scDpTdGF0dXM+DQogICAgPHNhbWw6QXNzZXJ0aW9uIElEPSJBc3NlcnRpb24tdXVpZDFmNTE2NzdkLTAxMzQtMWE2NC05MTA4LWJlYTgzYmEzYTI1MSIgSXNzdWVJbnN0YW50PSIyMDExLTEyLTA4VDIwOjE1OjU1WiIgVmVyc2lvbj0iMi4wIj4NCiAgICAgICAgPHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwczovL2xvbmRvLnJ0cC5yYWxlaWdoLmlibS5jb206OTQ0My9zcHMvU0FNTElkcC9zYW1sMjA8L3NhbWw6SXNzdWVyPg0KICAgICAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiBJZD0idXVpZDFmNTE2NzgxLTAxMzQtMWRmYS04ZDAwLWJlYTgzYmEzYTI1MSI+DQogICAgICAgICAgICA8ZHM6U2lnbmVkSW5mbz4NCiAgICAgICAgICAgICAgICA8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PC9kczpDYW5vbmljYWxpemF0aW9uTWV0aG9kPg0KICAgICAgICAgICAgICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPg0KICAgICAgICAgICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjQXNzZXJ0aW9uLXV1aWQxZjUxNjc3ZC0wMTM0LTFhNjQtOTEwOC1iZWE4M2JhM2EyNTEiPg0KICAgICAgICAgICAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI+PC9kczpUcmFuc2Zvcm0+DQogICAgICAgICAgICAgICAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8eGMxNG46SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczp4YzE0bj0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJ4cyBzYW1sIHhzaSI+PC94YzE0bjpJbmNsdXNpdmVOYW1lc3BhY2VzPg0KICAgICAgICAgICAgICAgICAgICAgICAgPC9kczpUcmFuc2Zvcm0+DQogICAgICAgICAgICAgICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgICAgICAgICAgPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD4NCiAgICAgICAgICAgICAgICAgICAgPGRzOkRpZ2VzdFZhbHVlPkdMV3BGdkYwYkx3UUVMWFpNZ1ozczFKL3pSUT08L2RzOkRpZ2VzdFZhbHVlPg0KICAgICAgICAgICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPkRVaEJueU1UUmFYNlUvT2hDZ2lrN08yZ2hDaXl5akNNOWpHTmk5UE1MMXdidWkyMjNyNCtaRW9tOGdodjVpL3pCOU0yVUhCZTNpdVNEYUUyVGxWVm96Y1h3bHJSUUFaTS9lMVZDck9hRFdhWWJURjZKZ05aM1RWekpDVy9helBNa21aenROV2laY2Z4Q3hjODRkYmlCSzlCQzNOdEdVZGlwWlpQb3h4WUlZYz08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgICAgICAgPGRzOktleUluZm8+DQogICAgICAgICAgICAgICAgPGRzOlg1MDlEYXRhPg0KICAgICAgICAgICAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUMxekNDQWtDZ0F3SUJBZ0lJRWtvd1hvZlF0eWd3RFFZSktvWklodmNOQVFFRkJRQXdnWW94Q3pBSkJnTlZCQVlUQWxWVE1Rd3dDZ1lEVlFRS0V3TkpRazB4RkRBU0JnTlZCQXNUQzJ4dmJtUnZUbTlrWlRBeE1SZ3dGZ1lEVlFRTEV3OXNiMjVrYjA1dlpHVXdNVU5sYkd3eEdUQVhCZ05WQkFzVEVGSnZiM1FnUTJWeWRHbG1hV05oZEdVeElqQWdCZ05WQkFNVEdXeHZibVJ2TG5KMGNDNXlZV3hsYVdkb0xtbGliUzVqYjIwd0hoY05NVEV4TURBMU1UWXpOekF6V2hjTk1USXhNREEwTVRZek56QXpXakJ2TVFzd0NRWURWUVFHRXdKVlV6RU1NQW9HQTFVRUNoTURTVUpOTVJRd0VnWURWUVFMRXd0c2IyNWtiMDV2WkdVd01URVlNQllHQTFVRUN4TVBiRzl1Wkc5T2IyUmxNREZEWld4c01TSXdJQVlEVlFRREV4bHNiMjVrYnk1eWRIQXVjbUZzWldsbmFDNXBZbTB1WTI5dE1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ1BkcHBnRnRMWXJJdUdwSE1uNXYzZzdRNXRPdHZRZzh4WW9nVjkzdnJBTWhtcUlGWkFqUkFzWXdGc3lyaFQ3UnVxckttaEhtbnEvSUlQcHVWbGhZRjZvZisyTEExZ0VkSGMyb1lBRk5WNUl5cFdRS1JjUWF6RlNHc2FqQktLUExjclNaY20zQVNHYlYySHVNKytNMFZmMWs4Q3hqM1hOb1NIRjJRZnZVUHZmUUlEQVFBQm8yQXdYakJKQmdOVkhSRUVRakJBZ1Q1UWNtOW1hV3hsVlZWSlJEcEJjSEJUY25Zd01TMUNRVk5GTFRJM1ltRmhOMlEzTFRoallUTXROR1F6T1MxaU1qYzNMVEprWm1VNE1tSXpaamxtWXpBUkJnTlZIUTRFQ2dRSVFxUWFNYVlyYmE4d0RRWUpLb1pJaHZjTkFRRUZCUUFEZ1lFQWxJd0FlZnpnRXRLeXBBazJndkhFQnk1Njc1UGtBcU5MT3ZrN2JDRVRsQnVXdTAya0N2bGtSQ09FdFJCanIrbVBHYkRaaHRTZEt3SkFibDhiSXYvYkgzVnpSVHd3ODdYaUZzVzFPbDViL3o0SVBWcmhDVFFPMWVMQ2w2N3kycHd4SmROYWxOQUFXelpERytRSjNFQlp6K3hxUVdKbktRTkVjQjY3K0xBVXNHRT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT4NCiAgICAgICAgICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgICAgICAgPC9kczpLZXlJbmZvPg0KICAgICAgICA8L2RzOlNpZ25hdHVyZT4NCiAgICAgICAgPHNhbWw6U3ViamVjdD4NCiAgICAgICAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5DLUNCVEs4OTc8L3NhbWw6TmFtZUlEPg0KICAgICAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICAgICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzhmMmFmY2UyNTJiNDVhZGVkNWE4IiBOb3RPbk9yQWZ0ZXI9IjIwMTEtMTItMDhUMjA6MTY6NTVaIiBSZWNpcGllbnQ9Imh0dHA6Ly9kZXZzdWdhci5ydHAucmFsZWlnaC5pYm0uY29tL3N1Z2FyLXNhbWwvaW5kZXgucGhwP21vZHVsZT1Vc2VycyZhbXA7YWN0aW9uPUF1dGhlbnRpY2F0ZSI+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhPg0KICAgICAgICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgICAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMi0wOFQyMDoxNDo1NVoiIE5vdE9uT3JBZnRlcj0iMjAxMy0xMi0wOFQyMDoxNjo1NVoiPg0KICAgICAgICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgICAgICAgICA8c2FtbDpBdWRpZW5jZT5waHAtc2FtbDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgICAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICAgICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTEyLTA4VDIwOjE1OjU1WiIgU2Vzc2lvbkluZGV4PSJ1dWlkMWY0ZTU2MzItMDEzNC0xNjRlLTk1MWItYmVhODNiYTNhMjUxIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDExLTEyLTA4VDIxOjE1OjU1WiI+DQogICAgICAgICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgICAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICAgICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJETl9WYWx1ZSIgTmFtZUZvcm1hdD0idXJuOmlibTpuYW1lczpJVEZJTTo1LjE6YWNjZXNzbWFuYWdlciI+DQogICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dWlkPUMtQ0JUSzg5NyxjPXVzLG91PWJsdWVwYWdlcyxvPWlibS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgICAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==";
  64
  65
  66
  67                 if(empty($_POST['SAMLResponse']))return parent::authenticateUser($name, $password);
  68
  69                 $GLOBALS['log']->debug('have saml data.'); // JMH
  70                 // Look for custom versions of settings.php if it exists
  71
  72                 require_once('modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml.php');
  73         require(get_custom_file_if_exists('modules/Users/authentication/SAMLAuthenticate/settings.php'));
  74
  75         $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']);
  76
  77                 if ($samlresponse->is_valid()){
  78                         $GLOBALS['log']->debug('response is valid');
  79                         $customFields = $this->getAdditionalFieldsToSelect($samlresponse, $settings);
  80                         $GLOBALS['log']->debug('got this many custom fields:' . count($customFields));
  81
  82             $id = $this->get_user_id($samlresponse, $settings);
  83             $user = $this->fetch_user($id, $settings->id);
  84
  85                         //user already exists use this one
  86                         if ($user->id){
  87                                 $GLOBALS['log']->debug('have db results'); // JMH
  88                                 if($user->status != 'Inactive')
  89                                 {
  90                                         $GLOBALS['log']->debug('have current user'); // JMH
  91                                         $this->updateCustomFields($user, $samlresponse, $settings);
  92                                         return $user->id;
  93                                 }
  94                                 else
  95                                 {
  96                                         $GLOBALS['log']->debug('have inactive user'); // JMH
  97                                         return '';
  98                                 }
  99                         }
 100                         else
 101                         {
 102                 $xmlDoc = $samlresponse->xml;
 103                 $xpath = new DOMXpath($xmlDoc);
 104                 if (isset($settings->customCreateFunction))
 105                 {
 106                     return call_user_func($settings->customCreateFunction, $this, $samlresponse->get_nameid(), $xpath, $settings);
 107                 } else {
 108                     return $this->createUser($samlresponse->get_nameid(), $xpath, $settings);
 109                 }
 110                         }
 111 //      comment out the following two lines for testing - John H. (task 9069)
 112                 }
 113                 return '';
 114         }
 115
 116
 117         /**
 118         * Updates the custom fields listed in settings->saml_settings['update'] in our
 119         * db records with the data from the xml in the saml assertion. Every field
 120         * listed in the ['update'] array is a key whose value is a (hopefully) valid
 121         * xpath, which in turn can be used to retrive the value of the node specified
 122         * by that xpath. If the value of the node does not equal the value in our
 123         * records, update our records to match the value from the xml.
 124         *
 125         * @param User $user - user fetched from our db.
 126         * @param SamlResponse $samlresponse - saml provider response.
 127         * @param SamlSettings $settings - our settings object.
 128         * @return int - 0 = no action taken, 1 = user record saved, -1 = no update.
 129         *
 130         * Contributed by Mike Andersen, SugarCRM.
 131         **/
 132         function updateCustomFields($user, $samlresponse, $settings)
 133         {
 134                 $customFields = $this->getCustomFields($settings, 'update');
 135
 136                 if (count($customFields) == 0)
 137                 {
 138                         $GLOBALS['log']->debug("No custom fields! So returning 0."); // JMH
 139                         return 0;
 140                 }
 141
 142                 $GLOBALS['log']->debug("updateCF()... userid={$user->id}"); // JMH
 143
 144                 $xmlDoc = $samlresponse->xml;
 145                 $xpath = new DOMXpath($xmlDoc);
 146                 $GLOBALS['log']->debug("Created xpath object."); // JMH
 147
 148                 $customFieldUpdated = false;
 149
 150                 foreach ($customFields as $field)
 151                 {
 152                         $GLOBALS['log']->debug("Top of fields loop with $field."); // JMH
 153                         if (!property_exists($user, $field))
 154                         {
 155                                 $GLOBALS['log']->debug("$field is not a user field. \nThe fields are: " . var_export(array_keys(get_object_vars($user)), TRUE)); // JMH
 156                                 // custom field not listed in db query results!
 157                                 continue;
 158                         }
 159                         $customFieldValue = $user->$field;
 160
 161                         $xmlNodes = $xpath->query($settings->saml_settings['update'][$field]);
 162                         if ($xmlNodes === false)
 163                         {
 164                                 // malformed xpath!
 165                                 $GLOBALS['log']->debug("$field contains bad xpath: " . $settings->saml_settings['update'][$field]); // JMH
 166                                 continue;
 167                         }
 168                         $GLOBALS['log']->debug("updateCF(): 3"); // JMH
 169                         if ($xmlNodes->length == 0)
 170                         {
 171                                 // no nodes match xpath!
 172                                 $GLOBALS['log']->debug("$field no nodes match this xpath: " . $settings->saml_settings['update'][$field]); // JMH
 173                                 continue;
 174                         }
 175
 176                         $xmlValue = $xmlNodes->item(0)->nodeValue;
 177                         $GLOBALS['log']->debug("$field xpath returned $xmlValue"); // JMH
 178
 179                         if ($customFieldValue != $xmlValue)
 180                         {
 181                                 // need to update our user record.
 182                                 $customFieldUpdated = true;
 183                                 $user->$field = $xmlValue;
 184                                 $GLOBALS['log']->debug("db is out of date. setting {$field} to {$xmlValue}"); // JMH
 185                         }
 186                 }
 187
 188                 if ($customFieldUpdated)
 189                 {
 190                         $GLOBALS['log']->debug("updateCustomFields calling user->save() and returning 0"); // JMH
 191                         $user->save();
 192                         return 1;
 193                 }
 194
 195                 $GLOBALS['log']->debug("updateCustomFields found no fields to update. Returning -1"); // JMH
 196                 return -1;
 197         }
 198
 199
 200         /**
 201         * Determines if there are custom fields to add to our select statement, and
 202         * returns a comma prepended, comma-delimited list of those custom fields.
 203         *
 204         * @param SamlResponse $samlresponse
 205         * @param SamlSettings $settings
 206         * @return String $additionalFields = either empty, or ", field1[, field2, fieldn]"
 207         *
 208         * Contributed by Mike Andersen, SugarCRM.
 209         **/
 210         function getAdditionalFieldsToSelect($samlresponse, $settings)
 211         {
 212                 if (isset($settings->saml_settings) && isset($settings->saml_settings['update']) && count($settings->saml_settings['update']) > 0)
 213         {
 214                         return ',' . implode(',', $this->getCustomFields($settings, 'update'));
 215                 }
 216                 return '';
 217         }
 218
 219
 220         /**
 221         * Returns an array of custom field names. These names are the keys in the
 222         * 'update' hash in $settings->saml_settings hash.
 223         * See modules/Users/authentication/SAMLAuthenticate/settings.php for details.
 224         *
 225         * @param SamlSettings $settings
 226         * @param String $which - which custom fields: 'check', 'create' or 'update'
 227         * @return Array - list of custom field names.
 228         *
 229         * Contributed by Mike Andersen, SugarCRM.
 230         **/
 231         function getCustomFields($settings, $which)
 232         {
 233                 if (IsSet($settings->saml_settings[$which]))
 234                 {
 235                         return array_keys($settings->saml_settings[$which]);
 236                 }
 237                 else
 238                 {
 239                         $empty = array();
 240                         return $empty;
 241                 }
 242         }
 243
 244
 245
 246         /**
 247          * Creates a user with the given User Name and returns the id of that new user
 248          * populates the user with what was set in the SAML Response
 249          *
 250          * @param STRING $name
 251          * @param DOMXpath $xpath
 252          * @param SamlSettings $settings - our settings object.
 253          * @return STRING $id
 254          */
 255         function createUser($name, $xpath, $settings)
 256   {
 257         $GLOBALS['log']->debug("Called createUser");
 258           $user = new User();
 259                 $user->user_name = $name;
 260                 $user->email1 = $name;
 261                 $user->last_name = $name;
 262                 $user->employee_status = 'Active';
 263                 $user->status = 'Active';
 264                 $user->is_admin = 0;
 265                 $user->external_auth_only = 1;
 266                 $user->system_generated_password = 0;
 267
 268                 // Loop through the create custom fields and update their values in the
 269                 // user object from the xml SAML response.
 270                 $customFields = $this->getCustomFields($settings, 'create');
 271         $GLOBALS['log']->debug("number of custom fields: " . count($customFields));
 272                 foreach ($customFields as $field)
 273                 {
 274                         $GLOBALS['log']->debug("xpath for $field is " . $settings->saml_settings['create'][$field]);
 275                         $xmlNodes = $xpath->query($settings->saml_settings['create'][$field]);
 276                         if ($xmlNodes === false)
 277                         {
 278                                 // malformed xpath!
 279                                 $GLOBALS['log']->debug("Bad xpath: " . $settings->saml_settings['create'][$field]);
 280                                 continue;
 281                         }
 282                         if ($xmlNodes->length == 0)
 283                         {
 284                                 // no nodes match xpath!
 285                                 $GLOBALS['log']->debug("No nodes match this xpath: " . $settings->saml_settings['create'][$field]);
 286                                 continue;
 287                         }
 288
 289                         if ($field == 'id')
 290                         {
 291                                 $user->new_with_id = true;
 292                         }
 293
 294                         $xmlValue = $xmlNodes->item(0)->nodeValue;
 295                         $GLOBALS['log']->debug("Setting $field to $xmlValue");
 296                         $user->$field = $xmlValue;
 297                 }
 298
 299         $GLOBALS['log']->debug("finished loop - saving.");
 300                 $user->save();
 301         $GLOBALS['log']->debug("New user id is " . $user->id);
 302                 return $user->id;
 303         }
 304
 305     /**
 306      * Retrieves user ID from SamlResponse according to SamlSettings
 307      *
 308      * @param SamlResponse $samlresponse
 309      * @param SamlSettings $settings
 310      * @return string
 311      */
 312     protected function get_user_id($samlresponse, $settings)
 313     {
 314         if (isset($settings->saml_settings['check']['user_name']))
 315         {
 316             $xmlDoc = $samlresponse->xml;
 317             $xpath = new DOMXpath($xmlDoc);
 318             $query = $settings->saml_settings['check']['user_name'];
 319             $entries = $xpath->query($query);
 320             $name_id = $entries->item(0)->nodeValue;
 321         }
 322         else
 323         {
 324             $name_id = $samlresponse->get_nameid();
 325         }
 326
 327         return $name_id;
 328     }
 329
 330     /**
 331      * Fetches user by provided ID and field name
 332      *
 333      * @param mixed $id
 334      * @param string $field
 335      * @return User
 336      */
 337     protected function fetch_user($id, $field = null)
 338     {
 339         $user = new User();
 340
 341         if (null !== $field)
 342         {
 343             switch ($field)
 344             {
 345                 case 'user_name':
 346                     // fetch user id by username
 347                     $sql = 'select id from users where user_name = '
 348                         . $user->db->quoted($id) . ' and deleted = 0';
 349                     $data = $user->db->fetchOne($sql);
 350                     if (is_array($data)) {
 351                         $id = reset($data);
 352                         $user->retrieve($id);
 353                     }
 354                     break;
 355                 case 'id':
 356                     $user->retrieve($id);
 357                     break;
 358                 default:
 359                     // nothing else is implemented
 360                     break;
 361             }
 362         }
 363         else
 364         {
 365             // use email as a default primary key (onelogin.com provides it)
 366             $user->retrieve_by_email_address($id);
 367         }
 368
 369         return $user;
 370     }
 371
 372     /**
 373      * This is called when a user logs in
 374      *
 375      * @param string $name
 376      * @param string $password
 377      * @param boolean $fallback - is this authentication a fallback from a failed authentication
 378      * @param array $PARAMS
 379      * @return boolean
 380      */
 381     public function loadUserOnLogin($name, $password, $fallback = false, $PARAMS = array())
 382     {
 383         // provide dummy login and password to parent class so that authentication
 384         // process could go on
 385         return parent::loadUserOnLogin('onelogin', 'onelogin', $fallback, $PARAMS);
 386     }
 387 }
 388
 389 ?>